You access the Event Summary sidebar by clicking an entry row in the Detection Events widget of the NSX Network Detection and Response Events page.
The following sections describe what you see in this sidebar. After the top section, subsequent sections display supporting data. Some sections are displayed only if relevant data is available.
- Top section

The top of the sidebar includes the following:

To close the sidebar, click the icon.
To view the event in the Event profile page, click Details. See Event Profile Page for more information.
If available, a brief description of the event is provided. It includes an explanation of why the system flagged this event, identifies the threat or malware associated with it, and briefly describes the detected activity.
- Threat Details

This section includes the following information.

| Threat Detail Name | Description |
|---|---|
| Threat | Name of the detected security risk. |
| Threat Class | Name of the detected security risk class. |
| Event Detector | The name of the event detector. Click the link to view the Detector pop-up window. See Detector Documentation Pop-Up Window for details. If there is no detector for the event, this entry is not shown. |
| Impact | The impact value indicates the critical level of the detected threat and ranges from 1 to 100. Threats with an impact of 70 or above are considered critical. Threats between 30 and 69 are considered medium-risk. Threats between 1 and 29 are considered benign. |
| Action | A list of actions taken by the sensor (for example, any blocking activities, whether the event is logged, whether traffic was captured, or whether a malware download was extracted). |
| Outcome | The outcome of the event. In most cases, this is Detection. For Info events and events that were promoted from Info status, an additional label provides the reason for the status or status change. A pop-up window with additional details about the reason is displayed when you hover over the label. |
| First Seen / Last Seen | A graph with the timestamps of when the evidence was first and last seen. The Duration information is displayed below the graph. |
- Event traffic

The Event traffic widget provides an overview of the traffic observed between the hosts involved in the event. At least one host involved in the event is a monitored host; the communicating host can be a monitored host or an external system. A link to view the Captured traffic is displayed if the data is available.
The arrow indicates the traffic direction between the hosts.
For each host, the IP address is displayed. If the host is local, the address is a link that you can click to view the Host profile page. A geo-located flag, , or might be displayed. More than one might be displayed. If available, a host name is displayed. If available from DHCP traffic monitoring, the MAC address of the host is displayed. Any host tags applied to the host are displayed. If available, click to view host details in the WHOIS pop-up window.
- Event evidence

The Event evidence section lists the various actions observed while analyzing the event. For more details, click the Event details link to view the Event evidence.
Actions include Signature, Reputation, Unusual behavior, File download, URL path match, Verification, Anomaly, and so on. If a link is provided, click it to view the corresponding Detector pop-up window. A Confidence value is displayed for each action.
- Malware identification

If the NSX Malware Prevention application is activated, a summary of the detected malware is displayed. For more details, click the Analyst report link to view the Analysis report. See Using the Analysis Report for more information.

| Detail Name | Description |
|---|---|
| Antivirus Class | A label defining the antivirus class of the downloaded file. |
| Antivirus Family | A label defining the antivirus family of the downloaded file. |
| Malware | A label defining the malware type of the downloaded file. If the label has an icon, you can click it for a pop-up description. |
| Behavior Overview | The detected behaviors of the downloaded file. If there is a lot of data, a partial list is displayed by default. Click Expand for more to view the full list. Toggle it closed again by clicking Collapse for less. |
- Event URLs

The Event URLs section displays all the URLs detected in the event. This section appears only if the event is associated with a URL.
- Event metadata

The Event metadata section displays the following data.

| Data Name | Description |
|---|---|
| Related Incident | Click to view the related incident, if one is available. |
| Connections | The number of connections included in the event. |
| Related Campaign | Click to view the related campaign, if one is available. |